DEP ASLR bypass without ROP JIT : CanSecWest2013 Slides and Analysis

I have my own talk from CanSecWest to blog about, but this one is more interesting and the most awaited one. So here are the slides; I will add my own analysis and test cases to this blog entry later. The interesting thing is we had this technique discussed on Garage in November: http://www.garage4hackers.com/f22/wi...innu-3080.html

Yu Yang (@tombkeeper) did a demo of the technique on MS013-08, and his ASLR/DEP bypass technique does not need a heap spray at all.

And the exploit is scary: it's a quick kaboom without a heap spray.
He calls this method GIFT [Got It From a Table].
The simple technique is to change the VFT of wow64sharedinformation and its pointer.